SOHO Router vendor DrayTek has just published a security White Paper for running a wireless router in your home or small business. Our take on this “Wireless Best Practices”: we love stuff like this! The more people hear these messages from diverse sources, the better. DrayTek has kept its recommendations vendor-neutral, so they can be used for your home router even if it isn’t from DrayTek. You can download the document here and hopefully learn something.
Of course, we can’t simply leave it at that – we’ll use these recommendations as a jumping-off point and urge more router vendors to encourage their customers to be more security conscious. Here’s what we’d add to their recommendations (the numbers refer to their numbers):
Operational/SysAdmin Best Practice
1. DrayTek says that “Changing the default password is the first thing you should do on any new installation.” We disagree. It SHOULD not be optional. We don’t know why, but router vendors still allow you to run with default credentials. That’s why so many routers are so easy to break into with admin/admin. Please, please, please, make changing your admin password mandatory.
2. Yes, we agree, passwords should be strong. But how about going one step further? How about making guessing of passwords harder by not allowing hackers to use automated methods? Right now, the typical router will allow you to guess at the admin password at a rate of about a dozen a second if you have a foothold on the router’s network through a compromised computer. And no one tries to stop this. How about using a CAPTCHA to slow things down, or better yet, after 3 incorrect tries, wait 5 minutes before allowing more guesses?
3. How about timing out the user after a short time?
4. How about “Do not offer remote management”? Other things like TR-069 are great except for the fact that the way they’ve been deployed is horrific.
7. Hmmmm…, not sure what to think here. It’s true that lots of signs of router compromises are going to be there either out in the open or in logs. But… we’re not sure that the typical home user will be able to notice them. There’s a reason why trained professionals look at your x-rays: even though a problem is right there out in the open, unless you know what to look for, you’ll miss it. The same is true of your router logs.
One of the motivations for building RouterCheck is exactly this. We know that most people aren’t going to know what to look for searching through their router’s configuration. RouterCheck is the “expert” that will help you make sense of it all.
8. We know updating your firmware isn’t easy. It’s also not easy trying to keep track of when the firmware is updated. That’s why RouterCheck looks for things like this and alerts you when to upgrade.
12. Not quite sure what to think here. They’re suggesting that home users disable DHCP?? Not a good idea. OTOH, disabling WAN-side pings is a great idea – in fact, it should be off by default. As for hiding your SSID, the jury’s still out on this one. Common wisdom says that it doesn’t really help.
19. A good idea. RouterCheck keeps up to date with all of the latest vulnerabilities, so running a check will immediately tell you what, if anything, you’re vulnerable to.
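To put numbers on the lockout we suggest in item 2, here is a sketch of it. This is an added example, not code from DrayTek or from any router firmware, and the `LoginThrottle` class, the `guesses_evaluated` helper and the client address are hypothetical names and constructed data.

```python
from fractions import Fraction
import time

MAX_FAILURES = 3          # "after 3 incorrect tries"
LOCKOUT_SECONDS = 5 * 60  # "wait 5 minutes before allowing more guesses"


class LoginThrottle:
    """Per-client lockout for an admin login page (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # client -> consecutive failed logins
        self._locked_until = {}  # client -> time at which the lockout ends

    def seconds_remaining(self, client):
        until = self._locked_until.get(client)
        return max(0, until - self._clock()) if until is not None else 0

    def attempt(self, client, check_password):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.seconds_remaining(client) > 0:
            # The password is not even checked during a lockout, so a guess
            # sent in that window reveals nothing about whether it was right.
            return "locked"
        if check_password():
            self._failures.pop(client, None)
            return "ok"
        count = self._failures.get(client, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(client, None)
            self._locked_until[client] = self._clock() + LOCKOUT_SECONDS
        else:
            self._failures[client] = count
        return "denied"


def guesses_evaluated(duration_s, rate_per_s, client="192.0.2.10"):
    """Simulate wrong passwords arriving at a fixed rate (constructed data)
    and count how many of them the router actually evaluated."""
    now = [Fraction(0)]  # simulated clock, exact so the lockout expiry is too
    throttle = LoginThrottle(clock=lambda: now[0])
    evaluated = 0
    for i in range(duration_s * rate_per_s):
        now[0] = Fraction(i, rate_per_s)
        if throttle.attempt(client, lambda: False) == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print(guesses_evaluated(3600, 12), "of", 3600 * 12, "guesses evaluated")
```

At a dozen guesses a second, an hour of guessing is 43,200 attempts; with this policy in place the router evaluates only 36 of them.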
Wireless LAN – Best Practice
8. Consider disabling WPS in all cases. It’s been shown to be badly broken, and having it enabled will allow hackers easy access to your wireless network.
10. A very good point. Also be aware that many rogue public WiFi systems will play bad games with their DNS. So if you log into any service that needs to be secure, be sure that HTTPS is being properly used.
Okay, so that’s a lot of things we’d add. But even so, we think that DrayTek did a great job in bringing this paper to the public. We hope to see things like this from other vendors.